Who Is Rahul Agarwal? Inside the Profile of the Bengaluru Software Engineer Arrested in the ₹384 Crore CoinDCX Crypto Heist

In one of the biggest cryptocurrency heists in India, a software engineer from Bengaluru (India) named Rahul Agarwal has been taken into custody for allegedly embezzling Rs 384 crore or around $44 million from CoinDCX, a leading Indian crypto exchange.

The audacious heist stunned both the tech and crypto communities, not only because of its size but because the apparent perpetrator was a trusted insider with access to sensitive systems inside the exchange. This is what we know so far about Rahul Agarwal, the developing investigation and the potential wider security ramifications for crypto.

Who is Rahul Agarwal?

  • Age: 30
  • City: Bengaluru
  • Hometown: Haridwar, Uttarakhand
  • Profession: Software Engineer / DevOps
  • Company: Formerly employed at CoinDCX

Rahul Agarwal was employed full-time at CoinDCX as a DevOps engineer. His role gave him privileged behind-the-scenes access to the exchange’s back-end systems, hot wallet management software and treasury infrastructure, making him a major asset but also, allegedly, a colossal risk.

What Exactly Happened?

According to investigation reports:

  • An anomalous transaction was identified at 2:37 AM on July 19th, 2025; it involved 1 USDT being transferred (seen by the community as a “test run”)
  • The hacker siphoned almost ₹384 crore worth of cryptocurrency (about $44 million) from CoinDCX’s treasury over seven hours, but no funds were taken other than those deposited for safekeeping.
  • The funds moved through six different addresses in multiple transactions, likely to obscure their movement.
  • The leak was traced back to the official work credentials of Rahul Agarwal and his laptop.

How Was the Heist Discovered?

The breach was detected last week by CoinDCX’s internal systems because of a sharp decline in its crypto reserves. A forensic audit revealed that the system access used during the hack matched Rahul’s login credentials.

According to authorities, this may have been either an inside job or the result of malware, social engineering, or unauthorized third-party access.

What Did Rahul Agarwal Say in His Defense?

In initial interrogations:

  • Rahul has denied allegations of his direct involvement in the hack.
  • He said he was doing some freelancing for unspecified clients and getting jobs done through networks such as Telegram and WhatsApp.
  • One such freelance job netted him a ₹15 lakh deposit, an amount that made investigators sit up and take notice.
  • According to BJP, Rahul claimed that he had received an offer on WhatsApp from a “German number” for freelance work, that various scripts were shared with him for execution, and that he ran them on his official laptop.
  • According to him, he did not know what the code was meant to do.

Was It an Inside Job or Sophisticated Social Engineering?

This question remains at the heart of the investigation.

Two possibilities are being explored:

  1. Insider Attack: Rahul used his access to orchestrate the hack and move funds to self-owned wallets.
  2. Credential Compromise: A foreign or local actor manipulated Rahul into executing malicious code unknowingly, taking over his system.

Either way, the access point remained his workstation, making him a key figure in the incident.

Impact on CoinDCX and the Crypto Sector

CoinDCX has assured users that no customer funds were affected, as the stolen amount was from the company’s treasury. However, the platform is now under pressure to:

  • Strengthen internal cybersecurity controls
  • Implement stricter access protocols
  • Audit DevOps processes
  • Cooperate with international law enforcement if foreign entities are involved

This breach is a wake-up call for all crypto exchanges operating in India and globally.

Where Are the Stolen Funds Now?

Law enforcement has been tracing the wallets involved with the help of blockchain analysis tools. It is still uncertain whether the cryptocurrencies have been laundered, since funds can easily be moved through mixers or decentralized exchanges.

Some have suggested the involvement of foreign hacking groups, although this has not been officially confirmed.

Legal Charges & Next Steps

Rahul Agarwal has been booked under multiple sections of:

  • The Indian Penal Code (IPC) for criminal breach of trust and theft
  • The Information Technology Act for unauthorized system access and cybercrime

He is currently in police custody, and a cyber team is continuing to analyze the code he triggered as well as tracing where some of the transactions came from.

What This Means for Crypto Investors

While this theft was internal and treasury-focused, it underscores a few hard truths:

  • Even top exchanges are not immune to internal threats
  • Credential hygiene is critical—even among employees
  • Crypto regulation in India may now accelerate, focusing more on cybersecurity compliance

Final Thoughts

The arrest of Rahul Agarwal has left the Indian tech community stunned. Whether he was a willing participant or an unknowing pawn, his story reveals how simple oversights in security can lead to multi-crore losses.
